b3b10c7691460d37601ea3feef02c2be230fb98bca7eecae4e39d45e724c4a05

General

Target

b3b10c7691460d37601ea3feef02c2be230fb98bca7eecae4e39d45e724c4a05.exe
Size

124KB
MD5

7f97f16bef7560633680c07abb9d1a3d
SHA1

605a5d2749fbc45e4fc614c57d1897f66bbe3752
SHA256

b3b10c7691460d37601ea3feef02c2be230fb98bca7eecae4e39d45e724c4a05
SHA512

13d0357ac3cf947069d71c6103c6c3d58adc59506d995fe9b930b910d71fdca65d17d68566213cc32bab422e6e15964c51bac6a994143f811304062ef185669c

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

sihost.exe

pid process

2436 sihost.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

744 schtasks.exe
2520 schtasks.exe

pid	process
2436	sihost.exe

pid	process
744	schtasks.exe
2520	schtasks.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

b3b10c7691460d37601ea3feef02c2be230fb98bca7eecae4e39d45e724c4a05.exesihost.exe

description	pid	process	target process
PID 628 wrote to memory of 744	628	b3b10c7691460d37601ea3feef02c2be230fb98bca7eecae4e39d45e724c4a05.exe	schtasks.exe
PID 628 wrote to memory of 744	628	b3b10c7691460d37601ea3feef02c2be230fb98bca7eecae4e39d45e724c4a05.exe	schtasks.exe
PID 628 wrote to memory of 744	628	b3b10c7691460d37601ea3feef02c2be230fb98bca7eecae4e39d45e724c4a05.exe	schtasks.exe
PID 2436 wrote to memory of 2520	2436	sihost.exe	schtasks.exe
PID 2436 wrote to memory of 2520	2436	sihost.exe	schtasks.exe
PID 2436 wrote to memory of 2520	2436	sihost.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\b3b10c7691460d37601ea3feef02c2be230fb98bca7eecae4e39d45e724c4a05.exe
"C:\Users\Admin\AppData\Local\Temp\b3b10c7691460d37601ea3feef02c2be230fb98bca7eecae4e39d45e724c4a05.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:628

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe"
2⤵
- Creates scheduled task(s)
PID:744

C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2436

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe"
2⤵
- Creates scheduled task(s)
PID:2520

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe
MD5
7f97f16bef7560633680c07abb9d1a3d

SHA1
605a5d2749fbc45e4fc614c57d1897f66bbe3752

SHA256
b3b10c7691460d37601ea3feef02c2be230fb98bca7eecae4e39d45e724c4a05

SHA512
13d0357ac3cf947069d71c6103c6c3d58adc59506d995fe9b930b910d71fdca65d17d68566213cc32bab422e6e15964c51bac6a994143f811304062ef185669c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe
MD5
7f97f16bef7560633680c07abb9d1a3d

SHA1
605a5d2749fbc45e4fc614c57d1897f66bbe3752

SHA256
b3b10c7691460d37601ea3feef02c2be230fb98bca7eecae4e39d45e724c4a05

SHA512
13d0357ac3cf947069d71c6103c6c3d58adc59506d995fe9b930b910d71fdca65d17d68566213cc32bab422e6e15964c51bac6a994143f811304062ef185669c

Download Submit
memory/628-114-0x00000000004B0000-0x000000000055E000-memory.dmp

Filesize
696KB

Download
memory/628-116-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/744-115-0x0000000000000000-mapping.dmp

Download
memory/2436-121-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/2436-120-0x0000000000500000-0x0000000000504000-memory.dmp

Filesize
16KB

Download
memory/2520-119-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads